- No commercial sale of your data: We do not license personal information, demographics, or clinical records to advertisers, and we do not use them for unrelated commercial purposes.
- Consent before onboarding: You must accept our Terms and this policy before sign-in. Demographic or sensitive profile fields are gated—we ask for them only after that step, and only when a feature you use requires them.
- One connected platform: Data may flow between Synergenix products you use for care so teams see a consistent picture. Our revenue comes from clinical intelligence services you contract for—not from off-platform profiling or advertising.
01 What we collect
- Website: contact and demo request details.
- Patient apps (including Synergenix Care): account information (such as name and email from sign-in), health content you choose to add, device and notification settings, and permissions you enable. Demographic and profile details (for example delivery pincode, emergency profile fields, or similar information) are collected only after you accept our Terms and Privacy Policy and only when you enter them for a feature that needs them—we do not require demographic information before you can sign in.
- Hospital dashboards: clinical data your organization enters for oncology, critical care, and related workflows.
- Linked services: only data you authorize from pharmacies, labs, or other providers.
02 How we use your information
We use data to operate the Synergenix products you or your organization use: patient app features, clinical dashboards, secure AI-assisted workflows, notifications you enable, and platform security. We do not sell personal information, demographics, or clinical records to advertisers or use them for unrelated commercial purposes.
03 Regulatory & privacy compliance
We implement safeguards appropriate for healthcare data that are designed to support HIPAA-aligned practices, GDPR, DPDP 2023, and local requirements for each deployment. We do not claim full HIPAA, ISO, or SOC certification unless we publish a specific attestation. Enterprise customers receive business associate agreements (BAAs), data processing agreements (DPAs), and security exhibits during procurement.
| Framework | Our role | Instrument |
|---|---|---|
| HIPAA (U.S. PHI) | Business associate (when applicable) | BAA + security exhibit |
| GDPR (EEA / UK) | Processor | DPA + SCCs where needed |
| DPDP (India) | Data fiduciary / processor per context | Notice, consent, contract |
| Hospital local rules | Processor on instructions | Customer agreement + DPA |
04 AI & training data
We do not train shared models on your patient data unless you authorize it in writing. Data remains in your tenant for inference and the workflows you enable. Tenants are logically isolated. Any optional model-improvement use—only under contract—may involve de-identified data subject to contractual limits on re-identification.
06 Security & audit
We use RBAC, MFA for privileged accounts, encryption in transit and at rest, least privilege, environment segregation, monitoring, backups, and vendor review. Access to records and sensitive actions is logged for customer administrators where supported.
| Control | Implementation | Status |
|---|---|---|
| Encryption in transit | TLS 1.2+ for API, web, and service traffic | Active |
| Encryption at rest | Cloud provider encryption for databases and object storage | Active |
| RBAC | Role-based permissions for customer users and internal staff | Active |
| MFA | Required for privileged and administrative accounts | Active |
| Least privilege | Access scoped to job function; periodic review | Active |
| Audit logging | Logged access and material actions (see audit section) | Active |
| Environment segregation | Production separated from development and test | Active |
| Vulnerability management | Patching and dependency review on infrastructure | Ongoing |
| Backups & recovery | Regular backups with restore testing | Active |
| Security monitoring | Monitoring for anomalous access and operational alerts | Active |
| Workforce confidentiality | Access limited to personnel who need it; confidentiality obligations | Active |
| Vendor / subprocessor review | Due diligence and contractual data protection terms | Active |
| Independent security testing | Periodic penetration testing and remediation tracking | Ongoing |
07 Retention & deletion
We retain data only as long as needed to provide the service, meet contractual obligations, or comply with law. The schedules below may be superseded by your hospital or enterprise agreement.
| Data type | Retention |
|---|---|
| Patient / clinical records | Per customer agreement and applicable regulatory requirements |
| Platform audit logs | 12 to 24 months (or longer if contract requires) |
| Backup copies | 30 to 90 days in rolling backup systems, then overwritten |
| Deleted account metadata | Up to 90 days, then purged from active systems |
| Security and access logs | 12 months unless investigation or contract requires longer |
| Support and inquiry logs | 12 months, then deleted or anonymized |
| Deleted customer / tenant data | Removed from active systems within 30 days; backups expire per backup row above |
Synergenix Care app users: to delete your account or personal data, use Contact Us and choose the Synergenix Care deletion topic in the form, or email director@synergenixailsc.com. We will get back to you after we review the request. Deleted data is removed from active systems on the timelines above; backup copies expire as described in the backup row.
08 Incidents
We follow documented procedures to detect, contain, assess, notify customers and authorities where required (including HIPAA, GDPR, and DPDP, as applicable), and remediate. Report suspected incidents to director@synergenixailsc.com with the subject line Security Incident. Notice timelines for enterprise customers are defined in your BAA or DPA.
09 Subprocessors
We use vetted service providers to operate the platform. They process data only on our instructions, under data-protection terms, and may not use customer data for their own products. Representative subprocessors include:
| Purpose | Provider | Data involved |
|---|---|---|
| Cloud hosting & compute | Google Cloud Platform (primary) | Application and database hosting |
| AI inference | Enterprise AI API providers (under contract) | Prompts and outputs for features you enable; no training on your data by default |
| Authentication | Google Sign-In; enterprise SSO when configured | Account identity tokens |
| Email delivery | Transactional email provider | Addresses and message content for notifications |
| Observability | Logging and monitoring tools | Operational logs; PHI minimized in logs where feasible |
A full subprocessor list with locations is available under an enterprise contract.
10 Data residency
Production systems run on Google Cloud Platform unless your contract specifies another region. Cross-border transfers rely on DPAs, standard contractual clauses (SCCs) where required, and encryption. Hosting geography can be agreed at contract signing.
11 Roles
Obligations depend on whether your organization is the healthcare provider (data controller or covered entity) or Synergenix is processing data on your instructions (processor or business associate). A typical split for hospital deployments:
| Topic | Customer (hospital / insurer) | Synergenix |
|---|---|---|
| Lawful basis & patient notice | Defines purposes, notices, and consents for care | Processes per contract and documented instructions |
| BAA / DPA | Executes agreement with Synergenix | Signs BAA or DPA when required; maintains subprocessor list |
| Clinical content & accuracy | Responsible for clinical decisions and record content | Provides assistive tools; does not replace clinician judgment |
| Access & workforce training | Manages user provisioning and hospital policies | Provides RBAC, audit logs, and platform security controls |
| Data subject requests | Often first point of contact for patients | Assists and responds per DPA and product capabilities |
| Breach notification | May have direct duties to patients and regulators | Notifies customer per contract; supports investigation |
12 Your requests
You may request access, correction, deletion, or export where your law and role allow. Email director@synergenixailsc.com or use Contact Us (Synergenix Care users: select the deletion topic in the form). Hospital users should also contact their institution’s privacy officer for records held by the tenant. We respond within applicable timelines (including under DPDP and GDPR) after verifying your identity.
13 Enterprise pack
Procurement teams may request BAA or DPA drafts, subprocessor lists, security questionnaires, architecture diagrams, incident and retention summaries, and data protection impact assessment (DPIA) support. We share SOC 2 or ISO reports only when available; we do not claim certification on this page. Contact director@synergenixailsc.com.
14 Children
Our services are not directed at children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect their personal data except where a hospital or legal guardian uses the product on behalf of a patient.
15 Contact
For privacy and security questions, email director@synergenixailsc.com or use Contact Us. We update this policy by changing the date at the top of the page.